IETF 66 Enhanced EAP-TLS Discussion - PowerPoint PPT Presentation

About This Presentation
Title:

IETF 66 Enhanced EAP-TLS Discussion

Description:

Or a single EAP-TLS based method to support all enhanced features? July 12, 2006 ... Develop an Enhanced EAP-TLS method supports all requirements in Slide 2. ...

Slides: 6
Provided by: haoz8
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

Title: IETF 66 Enhanced EAP-TLS Discussion

1
IETF 66 Enhanced EAP-TLS Discussion
  • Hao Zhou
  • Cisco Systems, Inc.
  • hzhou_at_cisco.com

2
Requirements
  • RFC2716bis focuses on describing the current EAP-TLS
    implementation; no new enhancements
  • New cipher suites, such as PSK, Kerberos, ECC
  • New TLS extensions, e.g., authorization
    extension, identity protection extension
  • RFC4017 requirements: channel binding, identity
    protection, shared state equivalence
  • RFC4017 requirement: authentication methods
    beyond certificates
  • User name and password, secure token card, mobile
    credentials, asymmetric credentials (password on one
    side and private/public key on the other side)
  • Any others: enrollment, arbitrary data exchange,
    bootstrapping?

3
Weak Password Support
  • Part of the WG charter
  • Support existing databases with weak passwords
  • Existing solutions are through tunneling TLS-based
    methods, e.g., PEAP, EAP-FAST, EAP-TTLS
  • Do we continue to use the TLS-based approach?
  • Does it make sense to develop a single enhanced
    EAP-TLS protocol to address this requirement?

4
How Many EAP-TLS Types are Required?
  • Type 13 for RFC2716 EAP-TLS
  • Type X for Enhanced EAP-TLS
  • Type Y for EAP-TLS PSK
  • Type Z for weak password support
  • Type ? for
  • Or a single EAP-TLS based method to support all
    enhanced features?

5
Proposal
  • Develop an Enhanced EAP-TLS method that supports all
    requirements in Slide 2.
  • Allow the client to optionally omit the client
    certificate in the TLS handshake and instead go through a
    second, inner authentication in the protected TLS tunnel,
    which supports legacy weak-password databases.
  • This could be done through an inner EAP method carried in
    TLS application data or through a TLS InnerApplication
    exchange.
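The two-phase flow proposed on this slide (optional client certificate in the TLS handshake, then an inner authentication inside the protected tunnel for peers that only hold a weak password), as an added toy model that is not part of the slides or of any IETF draft. Everything here is an assumption: `TlsTunnel` is an HMAC stand-in for the real TLS record layer rather than TLS itself, the inner method is a constructed password proof keyed to the session key (the slides do not specify the inner method or a binding), `CERT_DB` and `PASSWORD_DB` are constructed sample credential stores, and the TLS InnerApplication alternative is not modelled.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample credential stores; hypothetical, not from the slides.
CERT_DB = {"alice": "cert:alice"}   # peers that hold a client certificate
PASSWORD_DB = {                     # legacy weak-password database (slide 3)
    "bob": hashlib.sha256(b"bob-password").digest(),
}
TAG_LEN = 32


@dataclass
class TlsTunnel:
    """Stand-in for the protected TLS session: every record carries an HMAC
    under the session key, so the inner exchange is integrity-protected."""
    session_key: bytes

    def protect(self, payload: bytes) -> bytes:
        tag = hmac.new(self.session_key, payload, hashlib.sha256).digest()
        return tag + payload

    def unprotect(self, record: bytes) -> bytes:
        tag, payload = record[:TAG_LEN], record[TAG_LEN:]
        expected = hmac.new(self.session_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("record integrity check failed")
        return payload


def inner_proof(password: str, username: str, session_key: bytes) -> bytes:
    """Constructed password proof for the inner method. It is keyed to this
    tunnel's session key, so a proof captured in one session is useless in
    another (an assumption, not something the slides specify)."""
    pw_hash = hashlib.sha256(password.encode()).digest()
    return hmac.new(pw_hash, username.encode() + session_key, hashlib.sha256).digest()


class EnhancedEapTlsServer:
    """Server side of the two-phase method sketched on slide 5."""

    def handshake(self, client_cert: Optional[str]) -> Tuple[TlsTunnel, str]:
        """Phase 1: server-authenticated TLS handshake; the client certificate
        is optional. Returns the tunnel plus the server's decision."""
        tunnel = TlsTunnel(session_key=os.urandom(32))  # stands in for TLS key derivation
        if client_cert is None:
            return tunnel, "INNER_AUTH_REQUIRED"         # fall through to phase 2
        owner = next((u for u, c in CERT_DB.items() if c == client_cert), None)
        return tunnel, (f"SUCCESS:{owner}" if owner else "FAIL")

    def inner_auth(self, tunnel: TlsTunnel, record: bytes) -> str:
        """Phase 2: inner authentication carried as TLS application data."""
        try:
            payload = tunnel.unprotect(record)        # reject anything not from this tunnel
        except ValueError:
            return "FAIL"
        username, _, proof = payload.partition(b":")
        pw_hash = PASSWORD_DB.get(username.decode(errors="replace"))
        if pw_hash is None:
            return "FAIL"
        expected = hmac.new(pw_hash, username + tunnel.session_key, hashlib.sha256).digest()
        return "SUCCESS:" + username.decode() if hmac.compare_digest(proof, expected) else "FAIL"


def run_peer(server: EnhancedEapTlsServer, client_cert: Optional[str] = None,
             username: Optional[str] = None, password: Optional[str] = None) -> str:
    """Peer side: present a certificate if it has one, otherwise fall back to
    the inner password method inside the tunnel."""
    tunnel, outcome = server.handshake(client_cert)
    if outcome != "INNER_AUTH_REQUIRED":
        return outcome                                  # classic EAP-TLS result
    if username is None or password is None:
        return "FAIL"
    proof = inner_proof(password, username, tunnel.session_key)
    record = tunnel.protect(username.encode() + b":" + proof)
    return server.inner_auth(tunnel, record)


def replay_into_other_session(server: EnhancedEapTlsServer) -> str:
    """A proof computed for one tunnel does not validate in a fresh one."""
    first, _ = server.handshake(None)
    proof = inner_proof("bob-password", "bob", first.session_key)
    second, _ = server.handshake(None)
    return server.inner_auth(second, second.protect(b"bob:" + proof))


if __name__ == "__main__":
    srv = EnhancedEapTlsServer()
    print(run_peer(srv, client_cert="cert:alice"))                   # SUCCESS:alice
    print(run_peer(srv, username="bob", password="bob-password"))    # SUCCESS:bob
    print(run_peer(srv, username="bob", password="guess"))           # FAIL
    print(replay_into_other_session(srv))                            # FAIL
```

The point of the model is the branch in `handshake`: a peer with a certificate finishes exactly as in RFC2716 EAP-TLS, while a peer without one is only ever asked for its password after the server-authenticated tunnel exists, so the weak credential never crosses the wire unprotected and a proof from one session cannot be replayed into another.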